Diffstat (limited to 'hosts/sif/default.nix')
-rw-r--r--hosts/sif/default.nix161
1 files changed, 38 insertions, 123 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index 0897e1d8..2dcf5459 100644
--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -12,10 +12,9 @@ let
12in { 12in {
13 imports = with flake.nixosModules.systemProfiles; [ 13 imports = with flake.nixosModules.systemProfiles; [
14 ./hw.nix 14 ./hw.nix
15 ./mail ./libvirt ./greetd 15 ./email ./libvirt ./greetd
16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager 16 tmpfs-root bcachefs initrd-all-crypto-modules default-locale openssh rebuild-machines niri-unstable networkmanager lanzaboote zswap
17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1 17 flakeInputs.nixos-hardware.nixosModules.lenovo-thinkpad-p1
18 flakeInputs.impermanence.nixosModules.impermanence
19 flakeInputs.nixVirt.nixosModules.default 18 flakeInputs.nixVirt.nixosModules.default
20 ]; 19 ];
21 20
@@ -34,6 +33,10 @@ in {
34 initrd = { 33 initrd = {
35 systemd = { 34 systemd = {
36 emergencyAccess = config.users.users.root.hashedPassword; 35 emergencyAccess = config.users.users.root.hashedPassword;
36 extraBin = {
37 "vim" = lib.getExe pkgs.vim;
38 "grep" = lib.getExe pkgs.gnugrep;
39 };
37 }; 40 };
38 luks.devices = { 41 luks.devices = {
39 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; }; 42 nvm0 = { device = "/dev/disk/by-uuid/bef17e86-d929-4a60-97cb-6bfa133face7"; bypassWorkqueues = true; };
@@ -47,35 +50,22 @@ in {
47 50
48 blacklistedKernelModules = [ "nouveau" ]; 51 blacklistedKernelModules = [ "nouveau" ];
49 52
50 # Use the systemd-boot EFI boot loader. 53 lanzaboote.configurationLimit = 15;
51 loader = { 54 loader = {
52 systemd-boot = {
53 enable = true;
54 configurationLimit = 15;
55 netbootxyz.enable = true;
56 };
57 efi.canTouchEfiVariables = true; 55 efi.canTouchEfiVariables = true;
58 timeout = null; 56 timeout = null;
59 }; 57 };
60 58
61 plymouth.enable = true; 59 plymouth.enable = true;
62 60
63 kernelPackages = pkgs.linuxPackages_latest; 61 kernelPackages = pkgs.linuxPackages_6_18;
64 kernelPatches = [ 62 consoleLogLevel = 3;
65 { name = "edac-config"; 63 kernelParams = [
66 patch = null; 64 "quiet"
67 extraStructuredConfig = with lib.kernel; { 65 "boot.shell_on_fail"
68 EDAC = yes; 66 "udev.log_priority=3"
69 EDAC_IE31200 = yes; 67 "rd.systemd.show_status=auto"
70 }; 68 "plymouth.use-simpledrm"
71 }
72 { name = "zswap-default";
73 patch = null;
74 extraStructuredConfig = with lib.kernel; {
75 ZSWAP_DEFAULT_ON = yes;
76 ZSWAP_SHRINKER_DEFAULT_ON = yes;
77 };
78 }
79 ]; 69 ];
80 70
81 tmp.useTmpfs = true; 71 tmp.useTmpfs = true;
@@ -98,6 +88,8 @@ in {
98 server ptbtime2.ptb.de prefer iburst nts 88 server ptbtime2.ptb.de prefer iburst nts
99 server ptbtime3.ptb.de prefer iburst nts 89 server ptbtime3.ptb.de prefer iburst nts
100 server ptbtime4.ptb.de prefer iburst nts 90 server ptbtime4.ptb.de prefer iburst nts
91 pool ntppool1.time.nl prefer iburst nts
92 pool ntppool2.time.nl prefer iburst nts
101 93
102 authselectmode require 94 authselectmode require
103 minsources 3 95 minsources 3
@@ -126,40 +118,16 @@ in {
126 rulesetFile = ./ruleset.nft; 118 rulesetFile = ./ruleset.nft;
127 }; 119 };
128 120
129 # firewall = {
130 # enable = true;
131 # allowedTCPPorts = [ 22 # ssh
132 # 8000 # quickserve
133 # ];
134 # };
135
136 # wlanInterfaces = {
137 # wlan0 = {
138 # device = "wlp82s0";
139 # };
140 # };
141
142 # bonds = {
143 # "lan" = {
144 # interfaces = [ "wlan0" "enp0s31f6" "dock0" ];
145 # driverOptions = {
146 # miimon = "1000";
147 # mode = "active-backup";
148 # primary_reselect = "always";
149 # };
150 # };
151 # };
152
153 useDHCP = false; 121 useDHCP = false;
154 useNetworkd = true; 122 useNetworkd = true;
155
156 # interfaces."tinc.yggdrasil" = {
157 # virtual = true;
158 # virtualType = config.services.tinc.networks.yggdrasil.interfaceType;
159 # macAddress = "5c:93:21:c3:61:39";
160 # };
161 }; 123 };
162 124
125 environment.etc."NetworkManager/dnsmasq.d/dnssec.conf" = {
126 text = ''
127 conf-file=${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf
128 dnssec
129 '';
130 };
163 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = { 131 environment.etc."NetworkManager/dnsmasq.d/libvirt_dnsmasq.conf" = {
164 text = '' 132 text = ''
165 except-interface=virbr0 133 except-interface=virbr0
@@ -402,19 +370,6 @@ in {
402 ]; 370 ];
403 371
404 services = { 372 services = {
405 uucp = {
406 enable = true;
407 nodeName = "sif";
408 remoteNodes = {
409 "ymir" = {
410 publicKeys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG6KNtsCOl5fsZ4rV7udTulGMphJweLBoKapzerWNoLY root@ymir"];
411 hostnames = ["ymir.yggdrasil.li" "ymir.niflheim.yggdrasil"];
412 };
413 };
414
415 defaultCommands = lib.mkForce [];
416 };
417
418 avahi.enable = true; 373 avahi.enable = true;
419 374
420 fwupd.enable = true; 375 fwupd.enable = true;
@@ -431,10 +386,10 @@ in {
431 386
432 thinkfan.enable = true; 387 thinkfan.enable = true;
433 388
434 logind = { 389 logind.settings.Login = {
435 lidSwitch = "suspend"; 390 HandleLidSwitch = "suspend";
436 lidSwitchDocked = "lock"; 391 HandleLidSwitchDocked = "ignore";
437 lidSwitchExternalPower = "lock"; 392 HandleLidSwitchExternalPower = "ignore";
438 }; 393 };
439 394
440 atd = { 395 atd = {
@@ -476,11 +431,6 @@ in {
476 431
477 systemd.tmpfiles.settings = { 432 systemd.tmpfiles.settings = {
478 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime"; 433 "10-localtime"."/etc/localtime".L.argument = "/.bcachefs/etc/localtime";
479
480 # "10-regreet"."/var/cache/regreet/cache.toml".C.argument = toString ((pkgs.formats.toml {}).generate "cache.toml" {
481 # last_user = "gkleen";
482 # user_to_last_sess.gkleen = "Niri";
483 # });
484 }; 434 };
485 435
486 users = { 436 users = {
@@ -606,10 +556,9 @@ in {
606 # setLdLibraryPath = true; 556 # setLdLibraryPath = true;
607 }; 557 };
608 558
609 firmware = [ pkgs.firmwareLinuxNonfree ]; 559 firmware = [ pkgs.linux-firmware ];
610 560
611 keyboard.uhk.enable = true; 561 keyboard.uhk.enable = true;
612 nitrokey.enable = true;
613 }; 562 };
614 563
615 # sound.enable = true; 564 # sound.enable = true;
@@ -640,25 +589,6 @@ in {
640 589
641 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf; 590 environment.etc."X11/xorg.conf.d/50-wacom.conf".source = lib.mkForce ./wacom.conf;
642 591
643 systemd.services."ac-plugged" = {
644 description = "Inhibit handling of lid-switch and sleep";
645
646 path = with pkgs; [ systemd coreutils ];
647
648 script = ''
649 exec systemd-inhibit --what=handle-lid-switch --why="AC is connected" --mode=block sleep infinity
650 '';
651
652 serviceConfig = {
653 Type = "simple";
654 };
655 };
656
657 services.udev.extraRules = with pkgs; lib.mkAfter ''
658 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="0", RUN+="${systemd}/bin/systemctl --no-block stop ac-plugged.service"
659 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
660 '';
661
662 systemd.services."nix-daemon".serviceConfig = { 592 systemd.services."nix-daemon".serviceConfig = {
663 MemoryAccounting = true; 593 MemoryAccounting = true;
664 MemoryHigh = "50%"; 594 MemoryHigh = "50%";
@@ -682,6 +612,10 @@ in {
682 dconf.enable = true; 612 dconf.enable = true;
683 niri.enable = true; 613 niri.enable = true;
684 fuse.userAllowOther = true; 614 fuse.userAllowOther = true;
615 captive-browser = {
616 enable = true;
617 interface = "wlp82s0";
618 };
685 }; 619 };
686 620
687 services.pcscd.enable = true; 621 services.pcscd.enable = true;
@@ -693,11 +627,6 @@ in {
693 group = "users"; 627 group = "users";
694 }; 628 };
695 629
696 i18n.inputMethod = {
697 enable = true;
698 type = "ibus";
699 };
700
701 environment.sessionVariables."GTK_USE_PORTAL" = "1"; 630 environment.sessionVariables."GTK_USE_PORTAL" = "1";
702 xdg.portal = { 631 xdg.portal = {
703 enable = true; 632 enable = true;
@@ -708,7 +637,7 @@ in {
708 "org.freedesktop.impl.portal.OpenFile" = ["gtk"]; 637 "org.freedesktop.impl.portal.OpenFile" = ["gtk"];
709 "org.freedesktop.impl.portal.Access" = ["gtk"]; 638 "org.freedesktop.impl.portal.Access" = ["gtk"];
710 "org.freedesktop.impl.portal.Notification" = ["gtk"]; 639 "org.freedesktop.impl.portal.Notification" = ["gtk"];
711 "org.freedesktop.impl.portal.Secret" = ["gnome-keyring"]; 640 "org.freedesktop.impl.portal.Secret" = ["none"];
712 "org.freedesktop.impl.portal.Inhibit" = ["none"]; 641 "org.freedesktop.impl.portal.Inhibit" = ["none"];
713 }; 642 };
714 }; 643 };
@@ -718,7 +647,7 @@ in {
718 directories = [ 647 directories = [
719 "/nix" 648 "/nix"
720 "/root" 649 "/root"
721 "/home" 650 "/home"
722 "/var/log" 651 "/var/log"
723 "/var/lib/sops-nix" 652 "/var/lib/sops-nix"
724 "/var/lib/nixos" 653 "/var/lib/nixos"
@@ -728,33 +657,19 @@ in {
728 "/var/lib/bluetooth" 657 "/var/lib/bluetooth"
729 "/var/lib/upower" 658 "/var/lib/upower"
730 "/var/lib/postfix" 659 "/var/lib/postfix"
660 "/var/lib/regreet"
731 "/etc/NetworkManager/system-connections" 661 "/etc/NetworkManager/system-connections"
732 { directory = "/var/uucp"; user = "uucp"; group = "uucp"; mode = "0700"; } 662 config.boot.lanzaboote.pkiBundle
733 { directory = "/var/spool/uucp"; user = "uucp"; group = "uucp"; mode = "0750"; }
734 ]; 663 ];
735 files = [ 664 files = [
736 ]; 665 ];
666 timezone = true;
737 }; 667 };
738 668
739 systemd.services.timezone = { 669 security.pam.services.quickshell = {};
740 wantedBy = [ "multi-user.target" ];
741 serviceConfig = {
742 Type = "oneshot";
743 RemainAfterExit = true;
744 ExecStart = "${pkgs.coreutils}/bin/cp -vP /.bcachefs/etc/localtime /etc/localtime";
745 ExecStop = "${pkgs.coreutils}/bin/cp -vP /etc/localtime /.bcachefs/etc/localtime";
746 };
747 };
748 services.tzupdate.enable = true;
749
750 security.pam.services.gtklock = {};
751 670
752 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ]; 671 home-manager.sharedModules = [ flakeInputs.nixVirt.homeModules.default ];
753 672
754 environment.pathsToLink = [
755 "share/zsh"
756 ];
757
758 system.stateVersion = "24.11"; 673 system.stateVersion = "24.11";
759 }; 674 };
760} 675}
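Review bot: The new persisted entry `config.boot.lanzaboote.pkiBundle` in the impermanence `directories` list (hunk @@ -728,33 +657,19 @@) is a bare path, so it is carried over with whatever owner and mode the persistent copy happens to have, whereas the uucp entries that this same hunk removes declared owner, group and mode explicitly. If, as the name suggests, that directory holds the Secure Boot signing material, consider the attribute-set form `{ directory = config.boot.lanzaboote.pkiBundle; user = "root"; group = "root"; mode = "0700"; }` so the restriction is stated next to the persistence rule instead of depending on what the key-generation tooling created. Separately, the logind hunk changes `HandleLidSwitchDocked` and `HandleLidSwitchExternalPower` from "lock" to "ignore", which means closing the lid while docked or on mains no longer locks the session; if that is intended now that the ac-plugged inhibitor service is gone, a one-line comment such as `# lid close on dock/AC: no lock, session stays usable on external display` would keep the next reader from reading it as an accidental downgrade.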